Installing Edge SSO for high availability

You install multiple instances of Edge SSO for high availability in two scenarios:

In a single data center environment, install two Edge SSO instances to create a high
availability environment, meaning the system continues to operate if one of the Edge SSO
modules goes down.

In an environment with two data centers, install Edge SSO in both data centers so that the
system continues to operate if one of the Edge SSO modules goes down.

Install two Edge SSO modules in the same data center

You deploy two instances of Edge SSO, on different nodes, in a single data center to support
high availability. In this scenario:

Both instances of Edge SSO must be connected to the same Postgres server. Apigee recommends
using a dedicated Postgres server for Edge SSO rather than the Postgres server that you
installed with Edge.

You require a load balancer in front of the two instances of Edge SSO:

The load balancer must support application-generated cookie stickiness, and the session
cookie must be named JSESSIONID.

Configure the load balancer to perform a TCP or HTTP health check on Edge SSO. For TCP,
use the URL of Edge SSO:

http_or_https://edge_sso_IP_DNS:9099

Specify the port as set by Edge SSO. Port 9099 is the default.

For HTTP, include /healthz:

http_or_https://edge_sso_IP_DNS:9099/healthz

Some load balancer settings depend on whether you enabled HTTPS on Edge SSO. See the
following sections for more information.

Using HTTP access to Edge SSO

If you are using HTTP access to Edge SSO, then configure the load balancer to:

Use HTTP mode to connect to Edge SSO

Listen on the same port as Edge SSO

By default, Edge SSO listens for HTTP requests on port 9099. Optionally, you can use
SSO_TOMCAT_PORT to set the Edge SSO port. If you used SSO_TOMCAT_PORT
to change the Edge SSO port from the default, ensure that the load balancer listens on that
port.

For example, on each Edge SSO instance you set the port to 9033 by adding the following to the
config file:

SSO_TOMCAT_PORT=9033

You then configure the load balancer to listen on port 9033 and forward requests to an Edge
SSO instance on port 9033. The public URL of Edge SSO in this scenario is:

http://LB_DNS_NAME:9033

Using HTTPS access to Edge SSO

You can configure the Edge SSO instances to use HTTPS. In this scenario, follow the steps in
Configure apigee-sso for HTTPS access. As
part of the process of enabling HTTPS, you set SSO_TOMCAT_PROFILE in the Edge SSO
config file as shown below:

SSO_TOMCAT_PROFILE=SSL_TERMINATION

You can also optionally set the port used by Edge SSO for HTTPS access:

SSO_TOMCAT_PORT=9443

If you are using HTTPS access to Edge SSO, then configure the load balancer to:

Use TCP mode, not HTTP mode, to connect to Edge SSO

Listen on the same port as Edge SSO as defined by SSO_TOMCAT_PORT

You then configure the load balancer to forward requests to an Edge SSO instance on port 9443.
The public URL of Edge SSO in this scenario is:

https://LB_DNS_NAME:9443
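
The following is an added example, not part of the original page and not Apigee code. It derives the load balancer settings described in the HTTP and HTTPS sections above from each instance's Edge SSO config file, and reports settings that differ between the two instances. The function names and sample configs are hypothetical, and an unset SSO_TOMCAT_PROFILE is assumed to mean HTTP access.

```python
# Added example (not Apigee code): derive the load balancer settings described
# above from each Edge SSO config file and flag instances that disagree.
DEFAULT_PORT = 9099  # Edge SSO default port, per the page

def parse_config(text):
    """Parse KEY=VALUE lines from an Edge SSO config file, skipping comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def lb_settings(config_text, lb_host="LB_DNS_NAME", sso_host="edge_sso_IP_DNS"):
    """Return LB mode, listen port, health checks and public URL for one instance."""
    cfg = parse_config(config_text)
    port = int(cfg.get("SSO_TOMCAT_PORT", DEFAULT_PORT))
    profile = cfg.get("SSO_TOMCAT_PROFILE")
    if profile is None:  # assumption: unset profile means plain HTTP access
        scheme, mode = "http", "http"
    elif profile == "SSL_TERMINATION":
        scheme, mode = "https", "tcp"
    else:
        raise ValueError(f"profile {profile!r} is not covered by this page")
    return {
        "mode": mode,
        "listen_port": port,
        "sticky_cookie": "JSESSIONID",
        "health_tcp": f"{scheme}://{sso_host}:{port}",
        "health_http": f"{scheme}://{sso_host}:{port}/healthz",
        "public_url": f"{scheme}://{lb_host}:{port}",
    }

def check_pair(config_a, config_b):
    """Both instances sit behind one listener, so their derived settings must match."""
    a, b = lb_settings(config_a), lb_settings(config_b)
    return a, sorted(k for k in a if a[k] != b[k])

# Constructed sample configs: node 2 is missing the port override.
NODE1 = "SSO_TOMCAT_PROFILE=SSL_TERMINATION\nSSO_TOMCAT_PORT=9443\n"
NODE2 = "SSO_TOMCAT_PROFILE=SSL_TERMINATION\n"

if __name__ == "__main__":
    settings, mismatches = check_pair(NODE1, NODE2)
    for key, value in settings.items():
        print(f"{key}: {value}")
    print("settings that differ between the instances:", mismatches or "none")
```
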

Install Edge SSO in multiple data centers

In a multiple data center environment, you install an Edge SSO instance in each data center.
One Edge SSO instance then handles all traffic. If that Edge SSO instance goes down you can then
switch to the second Edge SSO instance.

Before you install Edge SSO in two data centers, you need the following:

The IP address or domain name of the Master Postgres server.

In a multiple data center environment, you typically install one Postgres server in each data
center and configure them in Master-Standby replication mode. For this example, data
center 1 contains the Master Postgres server and data center
2 contains the Standby. For more information, see Set up Master-Standby Replication for
Postgres.

A single DNS entry that points to one Edge SSO instance. For example, you create a DNS
entry in the form below that points to the Edge SSO instance in data center 1:

my-sso.domain.com => apigee-sso-dc1-ip-or-lb

When you install Edge SSO in each data center, you configure both to use the Postgres Master
in data center 1: